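{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.nixCommunity.remote-builder;

  # Forced command for the remote-build account. The authorized key below is
  # installed with `restrict,command="<this script>"`, so whatever the client
  # asked to run arrives in SSH_ORIGINAL_COMMAND and only the two exact
  # invocations a remote builder needs are executed; everything else is
  # refused with a non-zero status.
  # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
  nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
    case "$SSH_ORIGINAL_COMMAND" in
      "nix-daemon --stdio")
        # ssh-ng:// protocol
        exec ${config.nix.package}/bin/nix-daemon --stdio
        ;;
      "nix-store --serve --write")
        # legacy ssh:// protocol; used by hydra, which doesn't support ssh-ng
        exec ${config.nix.package}/bin/nix-store --serve --write
        ;;
      *)
        echo "Access only allowed for using the nix remote builder" 1>&2
        # A bare `exit` would return the status of the preceding echo (0),
        # so a rejected command would look successful to the client.
        exit 1
        ;;
    esac
  '';
in
{
  options.nixCommunity.remote-builder.key = lib.mkOption {
    # null is not a valid singleLineStr; the type has to admit it for the
    # default to evaluate when no key has been configured.
    type = lib.types.nullOr lib.types.singleLineStr;
    default = null;
    description = "ssh public key for the remote build user";
  };

  # Only wire up the builder account once a key has been provided; with the
  # default (null) this module contributes nothing.
  config = lib.mkIf (cfg.key != null) {
    users.users.nix.openssh.authorizedKeys.keys = [
      # `restrict` turns off pty/port/agent/X11 forwarding and `command=`
      # forces the wrapper regardless of what the client requests.
      # use nix-store for hydra which doesn't support ssh-ng
      ''restrict,command="${nix-ssh-wrapper}" ${cfg.key}''
    ];

    # NOTE(review): presumably required for remote builds to be accepted;
    # trusted-user status is a broad grant, which is why the forced command
    # above limits what this account can actually run.
    nix.settings.trusted-users = [ "nix" ];
  };
}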